-
Notifications
You must be signed in to change notification settings - Fork 99
Systemd
The Systemd section shows how to create a systemd service for KES on linux systems.
First, download the binary for your architecture and OS.
For example on linux/amd64
you can run:
curl -X GET 'https://github.com/minio/kes/releases/latest/download/kes-linux-amd64' --output kes-linux-amd64
sudo install kes-linux-amd64 /usr/local/bin/kes
Once the binary is installed, you can create a new unix user and group for KES:
useradd kes -s /sbin/nologin
If you choose a different user and group name than
kes
, please make sure to update yourkes.service
file.
Thekes
user needs to have read access for the/etc/kes/
directory.
Next, you need to provide the KES server configuration under /etc/kes/config.yml
.
If you haven't created your KES server configuration file you can refer to:
- Our guides to setup KES together with a supported KMS.
- Our documentation for more information about KES server configuration.
- Our annotated example for additional examples and documentation.
The following example is the configuration file from our FileSystem Guide:
address: 0.0.0.0:7373
admin:
identity: disabled # We disable the admin identity since we don't need it in this guide
tls:
key: private.key
cert: public.crt
policy:
my-app:
allow:
- /v1/key/create/app-key*
- /v1/key/generate/app-key*
- /v1/key/decrypt/app-key*
identities:
- ${APP_IDENTITY}
keystore:
fs:
path: ./keys # Choose a directory for the secret keys
Finally, you can create your systemd service by creating a kes.service
file under /etc/systemd/system
[Unit]
Description=KES
Documentation=https://github.com/minio/kes/wiki
Wants=network-online.target
After=network-online.target
AssertFileIsExecutable=/usr/local/bin/kes
[Service]
WorkingDirectory=/etc/kes/
User=kes
Group=kes
ProtectProc=invisible
ExecStart=/usr/local/bin/kes server --config=/etc/kes/config.yaml
# Let systemd restart this service always
Restart=always
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65536
# Specifies the maximum number of threads this process can create
TasksMax=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=infinity
SendSIGKILL=no
# Enable memory locking features used to prevent paging.
AmbientCapabilities=CAP_IPC_LOCK
[Install]
WantedBy=multi-user.target
If KES should use a port number < 1024 (privileged port) with the service running as a regular
user (not root), you will need to add the bind capability via the AmbientCapabilities
directive in the kes.service
file:
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
If you want to start KES after rebooting run:
systemctl enable kes.service
You can prevent KES from starting after reboot anytime by running:
systemctl disable kes.service
To start KES run:
systemctl start kes.service
To stop KES run:
systemctl stop kes.service